IETF Logo Mail Archive

Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 07 August 2016 11:10 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717EE12D08F for <stir@ietfa.amsl.com>; Sun, 7 Aug 2016 04:10:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hSLh2nw_x9B3 for <stir@ietfa.amsl.com>; Sun, 7 Aug 2016 04:10:05 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6107E12B027 for <stir@ietf.org>; Sun, 7 Aug 2016 04:10:03 -0700 (PDT)
X-AuditID: c1b4fb30-abfff700000009f9-19-57a71709fbfa
Received: from ESESSHC004.ericsson.se (Unknown_Domain [153.88.183.30]) by (Symantec Mail Security) with SMTP id FD.40.02553.90717A75; Sun, 7 Aug 2016 13:10:02 +0200 (CEST)
Received: from ESESSMB208.ericsson.se ([169.254.8.233]) by ESESSHC004.ericsson.se ([153.88.183.30]) with mapi id 14.03.0301.000; Sun, 7 Aug 2016 13:10:00 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Peterson, Jon" <jon.peterson@neustar.biz>
Thread-Topic: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Thread-Index: AQHR71RqNDyuE1zws0qpi74VpghCbqA8FdqAgAFD+DQ=
Date: Sun, 07 Aug 2016 11:10:00 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B4BBB7359@ESESSMB208.ericsson.se>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B4771FF73@ESESSMB209.ericsson.se> <5fdf4ad3-1528-3d79-6bdb-b5eb350e5c2a@alum.mit.edu> <dbb24381-55fd-fa64-d32b-fcc50265ccab@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B47723C55@ESESSMB209.ericsson.se>, <503738d8-c166-dfc1-d153-338d56b844c1@dcrocker.net>, <7594FB04B1934943A5C02806D1A2204B4BBB1D69@ESESSMB208.ericsson.se>, <51D45AE5-67D2-4120-BCA2-7BFC845E2126@neustar.biz>
In-Reply-To: <51D45AE5-67D2-4120-BCA2-7BFC845E2126@neustar.biz>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B4BBB7359ESESSMB208erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNIsWRmVeSWpSXmKPExsUyM2K7nC6X+PJwg1mnmC1+f/rAZnGmwdJi xYYDrBbL125jcmDx+Pv+A5PHpZ0n2TyWLPnJ5LGj4TlzAEsUl01Kak5mWWqRvl0CV8bSBy9Y C5YmVtw/bdrA+DCoi5GTQ0LAROLXg5tMXYxcHEIC6xkl3rX+Y4ZwFjNK3Jo5DSjDwcEmYCHR /U8bpEFEQE/i2/cZTCA2s0CJxPxdp1lAbGGBQImm3jZGiJogidcH/7JD2FYSv+afZAaxWQRU JOZ1HQOL8wr4SjS+PQq1+DarxLqzz8GGcgrYS5ztuw02lFFATOL7qTVQy8Qlmr6sZIW4WkBi yZ7zzBC2qMTLx/9YIWryJd72/2WEWCAocXLmE5YJjMKzkLTPQlI2C0kZRNxA4sv721C2tsSy ha+ZIWx9ie73p5mQxRcwsq9iFC1OLU7KTTcy0kstykwuLs7P08tLLdnECIyyg1t+G+xgfPnc 8RCjAAejEg+vwrRl4UKsiWXFlbmHGCU4mJVEeO+JLg8X4k1JrKxKLcqPLyrNSS0+xCjNwaIk zuv/UjFcSCA9sSQ1OzW1ILUIJsvEwSnVwJhcZrVmF+/qI68kHZyn231/ZefwXKLC4BOjyJRa Tv/PKstWiDwrvpCV57r2ZWDdw2P7K/LfClSfmL96e/XEb2wRuk9F761zz+PUmjBDtOXKipSw ZexKi9fGW6423t1VVTp55T3FXSd8ayVkAuofF6yc8JbZjm2Zptx6nmWla4SK1hubLvyu81CJ pTgj0VCLuag4EQD0sQAIrgIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/9fpUCQE8ax_M-yxqeaLk5v9pUt8>
Cc: "stir@ietf.org" <stir@ietf.org>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2016 11:10:07 -0000

Hi Jon,

My point is that (as you also wrote) how PASSporT is used with SIP is covered in 4424bis. Whether the current text is sufficient enough or not is a separate discussion, not related to draft-passport.

Regards,

Christer

Sent from my Windows Phone
________________________________
From: Peterson, Jon<mailto:jon.peterson@neustar.biz>
Sent: ‎06/‎08/‎2016 20:50
To: Christer Holmberg<mailto:christer.holmberg@ericsson.com>
Cc: dcrocker@bbiw.net<mailto:dcrocker@bbiw.net>; Paul Kyzivat<mailto:pkyzivat@alum.mit.edu>; stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Briefly, there is and always has been a "bare minimum" set of headers and claims that are mandatory for PASSporT. Ultimately, the question of what headers and claims are mandatory in PASSporT is a stir-passport question. SIP as a using protocol of PASSporT defines only which fields in a SIP request will populate those mandatory components of a PASSporT object, and that information is given in considerable detail in RFC 4474bis today.

Extensions may propose additional claims that will appear in PASSporT objects. The extensibility model of PASSporT is similarly a matter for the PASSporT spec rather than RFC 4474bis, though we anticipate that extensions may want to specify some initial using protocol behavior as well. We should have a few examples of that soon.

Jon Peterson
Neustar, Inc.

Sent from my iPad

On Aug 5, 2016, at 4:03 PM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:

Hi Dave,

I don't know whether the WG has yet decided whether there will be options and alternatives (i.e. whether sending of claims/headers will be mandatory, optional or forbidden) - so we don't yet know whether there will be an "if" :)

But, if there will be an "if", 4424bis needs to describe how to correctly handle the different options and alternatives.

Regards,

Christer

Sent from my Windows Phone
________________________________
From: Dave Crocker<mailto:dhc@dcrocker.net>
Sent: ‎05/‎08/‎2016 17:20
To: Christer Holmberg<mailto:christer.holmberg@ericsson.com>; Paul Kyzivat<mailto:pkyzivat@alum.mit.edu>
Cc: stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Christer,


On 8/4/2016 11:45 PM, Christer Holmberg wrote:
>
> The receiver needs to be able to parse JSON if the sender includes the
> claims, in order to verify the signature.

Alternatives and options make specifications more complex and often
introduce potential non-determinacies.  So the 'if' that you cite is not
a small matter.

In practical terms, the 'if' means that verifiers must be able to parse
json as well as encode it.


> Also, whatever headers we include, I assume the receiver should be able
> to parse them.
>
> But, parsing JSON is not a difficult thing to do, and there are
> available libraries for those who don't want to implement the parser
> themselves.

Just to make sure this sub-thread retains its context:  I did not
comment on the choice of JSON/JWT in the actual review.  It's not an
irrational or horrible choice.

But it does add overhead.  It adds it to the effort needed to understand
the specifications.  And it adds it to the software.  (It might also add
it to the execution of the software, but I suspect that is, at worst, a
negligible difference here.)

One of the more deceptive parts of writing standards is the seduction of
"is not a difficult thing to do".  In most cases where that sort of
comment is offered, it is quite true.  The problem is with incremental
complexities.  A not-difficult here; a not-difficult there... They
really do mount up.

By way of example, having to send the reader off to become proficient in
two additional specifications is not a small increment in developmental
overhead, especially when those specification have no natural -- ie,
pre-occurring -- relevance to the current work.

d/
--

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net<http://bbiw.net>
_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email